Bug
Resolution: Done
Pipelines 1.12.0
Pipelines Sprint 250
Description of problem:
I've followed the "Using Tekton Chains to sign and verify image and provenance" guide from our docs.
During step 6, though, cosign fails to verify the image signature and attestation.
Prerequisites (if any, like setup, operators/versions):
- cosign v2.2.0
- OpenShift Pipelines Operator
- Tekton CLI
Steps to Reproduce:
I've executed the following script: test2.sh
Actual results:
[build-and-push] INFO[0007] Pushing image to quay.io/csarta/chainstest:1020145204
[build-and-push] INFO[0008] Pushed image to 1 destinations
[write-url] quay.io/csarta/chainstest:1020145204
Waiting 90 seconds for images to appear in image registry
==============
cosign verify --key cosign.pub quay.io/csarta/chainstest@sha256:2200af53d33387535c754160c635e2e698d381c6b7a8abde55b306f803cc4610
Error: no matching signatures
main.go:69: error during command execution: no matching signatures
==============
cosign verify-attestation --key cosign.pub --type slsaprovenance quay.io/csarta/chainstest@sha256:2200af53d33387535c754160c635e2e698d381c6b7a8abde55b306f803cc4610
Error: no matching attestations:
main.go:74: error during command execution: no matching attestations:
Expected results:
The following checks were performed on each of these signatures:
- The cosign claims were validated
- The signatures were verified against the specified public key